
Trying to convert .pem -key only- to .pkcs12 file.


Jeremy M. Guthrie

Mar 19, 2004, 12:38:21 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've tried the following and I always get "No certificate matches private
key".
openssl pkcs12 -in key.pem -out key.pkcs12 -export
openssl pkcs12 -in key.pem -out key.pkcs12 -export -nocerts
openssl pkcs12 -export -in key.pem -inkey key.pem -out key.pkcs12 -nocerts -name "Sample name"

The RSA key was originally generated on a Cisco Content Service Switch 11506
w/ an SSL Accelerator module.

Please advise.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzAZqtjaBHGZBeURAtTFAKCGQ0s0qngOifod2DACwVWSAzvLhwCffIBj
7TpcLh0rEjH5nYrUFiFjnFA=
=skpw
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jeremy M. Guthrie

Mar 19, 2004, 12:51:56 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And what if the file does not contain a certificate in it? Just a key?

On Friday 19 March 2004 11:31 am, Amar Desai wrote:
> Jeremy M. Guthrie wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >I've tried the following and I always get "No certificate matches private
> >key".
> >openssl pkcs12 -in key.pem -out key.pkcs12 -export
>
> It should work fine if your "key.pem" contains a valid key and matching
> certificate. The error you are getting suggests that your key.pem
> doesn't contain the certificate.
>
> Amar

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzM3qtjaBHGZBeURAvXCAJ9i9bNOqzBPPD4Y49gx9rwakcTq9wCeJEge
l8hZI7GVL/xVPilIhF2ozeU=
=3KEm

Mike Gagnon

Mar 19, 2004, 12:54:24 PM
You can't place a key without its certificate into a PKCS12. You need both - they are coupled
together in this type of file. You can even store certificates that were not created with the
supplied key, but at least one of the certificates must "match" the supplied key.

Mike

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've tried the following and I always get "No certificate matches private
key".
openssl pkcs12 -in key.pem -out key.pkcs12 -export
openssl pkcs12 -in key.pem -out key.pkcs12 -export -nocerts
openssl pkcs12 -export -in key.pem -inkey key.pem -out key.pkcs12 -nocerts -name "Sample name"

The RSA key was originally generated on a Cisco Content Service Switch 11506
w/ a SSL Accelerator module.

Please advise.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzAZqtjaBHGZBeURAtTFAKCGQ0s0qngOifod2DACwVWSAzvLhwCffIBj
7TpcLh0rEjH5nYrUFiFjnFA=
=skpw
-----END PGP SIGNATURE-----

Jeremy M. Guthrie

Mar 19, 2004, 1:06:30 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So is the idea then that I 'cat key.pem cert.pem > key+cert.pem' and run
openssl against key+cert.pem?

On Friday 19 March 2004 11:55 am, Mike Gagnon wrote:
> You can't place a key without its certificate into a PKCS12. You need
> both - they are coupled together in this type of file. You can even store
> certificates that were not created with the supplied key, but at least one
> of the certificates must "match" the supplied key..
>
> Mike
>
> I've tried the following and I always get "No certificate matches private
> key".
> openssl pkcs12 -in key.pem -out key.pkcs12 -export
> openssl pkcs12 -in key.pem -out key.pkcs12 -export -nocerts
> openssl pkcs12 -export -in key.pem -inkey key.pem -out key.pkcs12 -nocerts -name "Sample name"
>
> The RSA key was originally generated on a Cisco Content Service Switch
> 11506 w/ a SSL Accelerator module.
>
> Please advise.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzZeqtjaBHGZBeURAiPlAJ92XgkfqQ7yxy4RFV5S5ZkQm/PXgQCePGfi
gplovPRXeqJApnSUysJqWFI=
=4JSR
-----END PGP SIGNATURE-----

Mike Gagnon

Mar 19, 2004, 1:15:41 PM
I haven't tried that, but I think that might work. The easiest way is to use the certfile option
like Amar said...

Mike

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

so is the idea then that I 'cat key.pem cert.pem > key+cert.pem' and run
openssl against key+cert.pem?

On Friday 19 March 2004 11:55 am, Mike Gagnon wrote:
> You can't place a key without its certificate into a PKCS12. You need
> both - they are coupled together in this type of file. You can even store
> certificates that were not created with the supplied key, but at least one
> of the certificates must "match" the supplied key..
>
> Mike
>
>
>
> I've tried the following and I always get "No certificate matches private
> key".
> openssl pkcs12 -in key.pem -out key.pkcs12 -export
> openssl pkcs12 -in key.pem -out key.pkcs12 -export -nocerts
> openssl pkcs12 -export -in key.pem -inkey key.pem -out key.pkcs12 -nocerts
> -name "Sample name"
>
> The RSA key was originally generated on a Cisco Content Service Switch
> 11506 w/ a SSL Accelerator module.
>
> Please advise.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzZeqtjaBHGZBeURAiPlAJ92XgkfqQ7yxy4RFV5S5ZkQm/PXgQCePGfi
gplovPRXeqJApnSUysJqWFI=
=4JSR
-----END PGP SIGNATURE-----

Jeremy M. Guthrie

Mar 19, 2004, 1:23:26 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

openssl pkcs12 -in key.pem -out key.pkcs12 -export -certfile cert.pem
No certificate matches private key

On Friday 19 March 2004 12:19 pm, Mike Gagnon wrote:
> I haven't tried that, but I think that might work. The easiest way is to
> use the certfile option like Amar said...
>
> Mike
>
> so is the idea then that I 'cat key.pem cert.pem > key+cert.pem' and run
> openssl against key+cert.pem?
>
> On Friday 19 March 2004 11:55 am, Mike Gagnon wrote:
> > You can't place a key without its certificate into a PKCS12. You need
> > both - they are coupled together in this type of file. You can even
> > store certificates that were not created with the supplied key, but at
> > least one of the certificates must "match" the supplied key..
> >
> > Mike
> >
> >
> >
> > I've tried the following and I always get "No certificate matches
> > private key".
> > openssl pkcs12 -in key.pem -out key.pkcs12 -export
> > openssl pkcs12 -in key.pem -out key.pkcs12 -export -nocerts
> > openssl pkcs12 -export -in key.pem -inkey key.pem -out key.pkcs12
> > -nocerts -name "Sample name"
> >
> > The RSA key was originally generated on a Cisco Content Service Switch
> > 11506 w/ a SSL Accelerator module.
> >
> > Please advise.

--
Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzptqtjaBHGZBeURAoShAJ9/MTQ/4m+ERCo3NEtfhkrgXQWLxQCeLXlr
51BxMziLUslijVN0TTBSm1o=
=4gVS
-----END PGP SIGNATURE-----

Mike Gagnon

Mar 19, 2004, 1:27:46 PM
ok, that probably means that the key and cert you are using are not related. You need to create a
certificate with your key and use *that* certificate with it. (They must match - and that's what I
mean by match - the key "creates" the certificate)...

Look at the docs for how to generate a certificate - you'll see that a key is used to do so...

Mike


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

openssl pkcs12 -in key.pem -out key.pkcs12 -export -certfile cert.pem
No certificate matches private key


On Friday 19 March 2004 12:19 pm, Mike Gagnon wrote:
> I haven't tried that, but I think that might work. The easiest way is to
> use the certfile option like Amar said...
>
> Mike
>
> so is the idea then that I 'cat key.pem cert.pem > key+cert.pem' and run
> openssl against key+cert.pem?
>
> On Friday 19 March 2004 11:55 am, Mike Gagnon wrote:
> > You can't place a key without its certificate into a PKCS12. You need
> > both - they are coupled together in this type of file. You can even
> > store certificates that were not created with the supplied key, but at
> > least one of the certificates must "match" the supplied key..
> >
> > Mike
> >
> >
> >
> > I've tried the following and I always get "No certificate matches
> > private key".
> > openssl pkcs12 -in key.pem -out key.pkcs12 -export
> > openssl pkcs12 -in key.pem -out key.pkcs12 -export -nocerts
> > openssl pkcs12 -export -in key.pem -inkey key.pem -out key.pkcs12
> > -nocerts -name "Sample name"
> >
> > The RSA key was originally generated on a Cisco Content Service Switch
> > 11506 w/ a SSL Accelerator module.
> >
> > Please advise.

--

Jeremy M. Guthrie
Systems Engineer
Berbee
5520 Research Park Dr.
Madison, WI 53711
Phone: 608-298-1061

Berbee...Decade 1. 1993-2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWzptqtjaBHGZBeURAoShAJ9/MTQ/4m+ERCo3NEtfhkrgXQWLxQCeLXlr
51BxMziLUslijVN0TTBSm1o=
=4gVS
-----END PGP SIGNATURE-----

Dr. Stephen Henson

Mar 19, 2004, 1:59:21 PM
On Fri, Mar 19, 2004, Jeremy M. Guthrie wrote:

>
> openssl pkcs12 -in key.pem -out key.pkcs12 -export -certfile cert.pem
> No certificate matches private key
>

There is actually no requirement in the PKCS#12 standard to include a matching
certificate and private key. However most browsers at the time did weird
things if one wasn't present so OpenSSL required this.

All versions of the OpenSSL pkcs12 utility should be able to extract private
keys from PKCS#12 files whether they have corresponding certificates or not.

In OpenSSL 0.9.7 and earlier however you needed to include a certificate which
matched the given private key when you *create* a PKCS#12 using the -export
option. Creating a self-signed certificate is one option.

In 0.9.8-dev you can create a PKCS#12 file including a private key *without*
the corresponding certificate using the -nocerts option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
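The two points made above, Mike's "the key creates the certificate, so they must match" and Steve's two ways out (a self-signed certificate issued from the key for 0.9.7-era tools, or `-nocerts` on export from 0.9.8 on), as a worked example. This is a POSIX shell script added here for illustration; it is not code from the thread or from the OpenSSL project. It assumes a current `openssl` binary (1.1.1 or 3.x) on PATH, so the `-nocerts` export route is available, and the function names and file names below are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a modern `openssl` (1.1.1 or
# 3.x) on PATH; function names and file names are this example's own.
set -eu

# Does the certificate carry the public half of this private key?
# Prints "match" or "mismatch". This is the relationship the pkcs12 tool
# checks before it reports "No certificate matches private key".
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Steve's workaround for a key that has no certificate: issue a self-signed
# certificate *from that key*, so the pair matches by construction, then
# export key and certificate together. Prints the path of the new certificate.
selfsign_and_export() {
    key="$1"; out="$2"; pass="$3"
    cert="${out%.*}-selfsigned.pem"
    openssl req -new -x509 -key "$key" -subj "/CN=key-only-bundle" \
        -days 30 -out "$cert" 2>/dev/null
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "Sample name" \
        -passout "pass:$pass" -out "$out"
    echo "$cert"
}

# The 0.9.8-and-later route: a PKCS#12 holding only the private key.
export_key_only() {
    openssl pkcs12 -export -inkey "$1" -nocerts -passout "pass:$3" -out "$2"
}

# Inspect what a bundle holds without writing the key to disk.
# Prints "key+cert", "key-only", or "empty".
p12_contents() {
    dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null || true)
    case "$dump" in
        *"BEGIN CERTIFICATE"*"PRIVATE KEY"*|*"PRIVATE KEY"*"BEGIN CERTIFICATE"*)
            echo "key+cert" ;;
        *"PRIVATE KEY"*) echo "key-only" ;;
        *) echo "empty" ;;
    esac
}

# Demonstration on constructed material: a fresh key plus an unrelated
# certificate reproduces the thread's situation; both export routes follow.
demo() {
    work=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/key.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/other.pem" 2>/dev/null
    openssl req -new -x509 -key "$work/other.pem" -subj "/CN=unrelated" -days 30 \
        -out "$work/cert.pem" 2>/dev/null
    echo "key.pem vs unrelated cert.pem: $(key_matches_cert "$work/key.pem" "$work/cert.pem")"
    cert=$(selfsign_and_export "$work/key.pem" "$work/key.p12" secret)
    echo "key.pem vs self-signed cert:   $(key_matches_cert "$work/key.pem" "$cert")"
    echo "key.p12 holds:                 $(p12_contents "$work/key.p12" secret)"
    export_key_only "$work/key.pem" "$work/key-only.p12" secret
    echo "key-only.p12 holds:            $(p12_contents "$work/key-only.p12" secret)"
    rm -rf "$work"
}

demo
```

`key_matches_cert` compares the SubjectPublicKeyInfo derived from the private key with the one embedded in the certificate, which is exactly the relationship Mike means by "match"; a certificate issued from some other key, as in the `cert.pem` attempt above, fails this check however valid it is on its own. Keep the exported password out of shell history on a real host (use `-passout file:` or a prompt rather than a literal `pass:`).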
